Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations
Report No. 06-024
Results of Audit
DSC identified and reported 9,534 significant compliance violations during 2005. Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) had been cited with compliance violations deemed significant by the FDIC. Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat, significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”
According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.
However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:
As a result of repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by consumer protection laws and regulations. We also identified certain other matters for DSC’s attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.
Recommendations and Management Response
The report makes three recommendations for DSC to strengthen its monitoring and follow-up processes by revising guidance on follow-up, considering supervisory action when an institution’s corrective action is not timely or when significant violations recur, and revising its performance goal. DSC’s management will reevaluate applicable guidance; analyze the prevalence and scope of repeatedly cited, significant violations over the next year; and make enhancements or clarifications as necessary. Management’s planned actions are responsive to the recommendations.
TABLE OF CONTENTS
RESULTS OF AUDIT
FOLLOW-UP FOR COMPLIANCE VIOLATIONS
DSC Compliance Examination Guidance
Follow-up on Identified Violations
Repeat, Significant Violations
Compliance Management System
Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions
DSC’s 2005 Performance Goals
Ratings Consideration of Institution Compliance Training
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: CONSUMER COMPLIANCE RATING SYSTEM
APPENDIX III: SIGNIFICANT AND CONSECUTIVE SIGNIFICANT VIOLATIONS CITED FROM JANUARY 1, 2005 TO DECEMBER 31, 2005
APPENDIX IV: CONSUMER PROTECTION LAWS
APPENDIX V: CORPORATION COMMENTS
APPENDIX VI: MANAGEMENT RESPONSE TO RECOMMENDATIONS
Table 1: Total Significant Violations for the Sampled Institutions
Table 2: Supervisory Actions Taken for Significant Violations
DATE: September 29, 2006
MEMORANDUM TO: Sandra L. Thompson, Acting Director, Division of Supervision and Consumer Protection
FROM: Russell A. Rau, Assistant Inspector General for Audits [Electronically produced version; original signed by Russell A. Rau]
SUBJECT: Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations (Report No. 06-024)
This report presents the results of our audit of the FDIC Division of Supervision and Consumer Protection’s (DSC) supervisory actions taken for compliance violations of consumer protection laws and regulations. The overall audit objective was to determine whether DSC adequately addresses the violations and program deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action. Over 20 consumer protection laws and related regulations are addressed by FDIC compliance examinations. For purposes of this audit, we focused on compliance violations related to eight specific areas.[ 1 ] Appendix I of this report discusses our objective, scope, and methodology in detail.
The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, privacy, and various other consumer protection laws and regulations. The compliance examination is the primary means by which the FDIC determines the extent to which a financial institution is complying with these requirements. The FDIC also conducts visitations and investigations. Visitations are used to review the compliance posture of newly chartered institutions coming under FDIC supervision or to follow up on an institution’s progress on corrective actions. Investigations are used to follow up on a particular consumer’s inquiries or complaints.
The compliance examination and follow-up supervisory attention accorded to violations and other program deficiencies[ 2 ] helps to ensure that consumers and businesses obtain the benefits and protections afforded them by law. In addition, violations of some of the laws and regulations give rise to possible civil liability for damages and, in TILA cases, administrative adjustments for understated finance charges or annual percentage rates (APR) on loans. For example, TILA requires institutions to reimburse customers when disclosure errors are identified involving an inaccurate APR or finance charge and that error has resulted in “gross negligence” or a “clear and consistent pattern or practice of violations.” These violations, in certain cases, can also result in civil money penalties. Effective examinations and supervision should help to identify violations and preclude or minimize their recurrence, thereby reducing the potential for penalties or reimbursements.
The presence of violations and the absence of an effective compliance management system (CMS)[ 3 ] to manage a financial institution’s compliance responsibilities also reflect adversely on the institution’s senior bank management and board of directors and may carry over into other areas of management responsibility. Additionally, DSC considers compliance with fair lending, privacy, and other consumer protection requirements when reviewing an application for entry into or expansion within the insured depository institution system.
DSC examiners follow the revised Compliance Examination Procedures (Transmittal No. 2005-035, dated August 18, 2005) in examining institutions for compliance with consumer protection laws and regulations. The FDIC’s compliance examinations blend risk-focused and process-oriented approaches. Risk focusing involves using information gathered about a financial institution to direct FDIC examiner resources to those operational areas that present the greatest compliance risks. The compliance examination procedures state that “a financial institution must develop and maintain a sound CMS that is integrated into the overall management strategy of the institution.” Concentrating on the institution’s internal control infrastructure and methods, or the “process,” used to ensure compliance with federal consumer protection laws and regulations acknowledges that the ultimate responsibility for compliance rests with the institution and encourages examination efficiency.
Compliance examinations are conducted every 12-36 months, depending on an institution’s size and the compliance and Community Reinvestment Act (CRA) ratings assigned at the most recent examination. The FDIC follows the Uniform Interagency Consumer Compliance Rating System approved by the Federal Financial Institutions Examination Council (FFIEC) in 1980. Appendix II discusses the rating system and describes how consumer compliance ratings are defined and distinguished.
RESULTS OF AUDIT
DSC identified and reported 9,534 significant[ 4 ] compliance violations during 2005.[ 5 ] Of the 1,945 financial institutions examined in 2005, 1,607 (83 percent) institutions had been cited with compliance violations deemed significant by the FDIC. Also, 837 (43 percent) of the 1,945 financial institutions examined had repeat,[ 6 ] significant violations, of which 708 (85 percent) institutions were rated “1” or “2.”
According to DSC officials, of the institutions examined in 2005, 96 percent were rated “1” or “2,” indicating a strong or generally strong compliance position, while 4 percent were rated “3,” “4” or “5,” indicating various levels of concern. DSC officials stated that the FDIC’s supervisory approach is to increase the level of attention as an institution’s compliance position worsens, and during 2005, DSC downgraded 297 institutions’ compliance ratings, issued 72 informal and 36 formal enforcement actions for compliance, and made 43 compliance referrals to the Department of Justice or other authorities.
However, DSC had not adequately ensured that the financial institutions in our sample had taken appropriate corrective actions for repeat, significant violations that had been cited during examinations. In many cases, consistent with the flexibility allowed by DSC guidance for “1” or “2” rated institutions, DSC waited until the next examination to follow up on repeat, significant compliance violations that had been identified in multiple examinations before taking supervisory action. Specifically, we found that:
- of the 51 reports of examination (ROE) we reviewed for 14 sampled institutions, DSC cited 431 significant violations related to 8 consumer protection laws and regulations;
- 47 of the 51 ROEs reviewed identified significant compliance violations;
- 5 of the 47 ROEs resulted in informal supervisory actions[ 7 ] and prompted follow-up activities, and 1 visitation for a new FDIC-supervised institution also prompted follow-up activities, but DSC did not follow up on the remaining 41 reports until the next examination;
- 11 of the 14 sampled institutions had repeat, significant violations; and
- all 14 sampled institutions had deficiencies and weaknesses noted in their CMS in at least 1 ROE. Also, DSC had identified serious deficiencies and weaknesses in some of the institutions’ CMSs that remained uncorrected for extended periods.
As a result of these repeat, significant violations, consumers and businesses of the affected institutions may not obtain the benefits afforded them by consumer protection laws and regulations.
We also identified certain other matters that warrant management attention relating to (1) performance goals associated with supervisory actions taken for compliance violations and (2) consideration of an institution’s training program in compliance ratings.
FOLLOW-UP FOR COMPLIANCE VIOLATIONS
DSC often identified and reported significant compliance violations and program deficiencies in multiple examinations over a period of years before taking supervisory action to address repeat violations. DSC’s guidance does not require follow-up between examinations or enforcement actions for institutions that repeatedly violate consumer protection laws and regulations in a manner cited as significant by FDIC examiners. Instead, DSC’s guidance gives staff the flexibility to wait until the next examination to follow up on significant violations, unless the institution is rated a “4” or “5.” As a result, consumers and businesses of the affected institutions may not obtain the benefits and protection afforded them by these laws and regulations.
DSC Compliance Examination Guidance
DSC’s revised Compliance Examination Procedures state that compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibility to comply with the requirements and proscriptions of federal consumer protection laws and regulations.
The Compliance Examination Procedures do not require follow-up between examinations on significant compliance violations. Significant violations include those violations that meet any of the following criteria:
- recurrent and outstanding for an extended period of time;
- affect, or could affect, a large number of transactions or consumers in a way that has, or could have, severe consequences for the consumers or the financial institution;
- continuation of a violation cited at the previous examination and is repeated in exactly the same manner at the current examination; or
- willful act or omission to defeat the purpose of, or circumvent, law or regulation.
The Compliance Examination Procedures state that recommendations by the examiner-in-charge (EIC) for corrective actions that address the specific deficiencies noted in the narrative of the ROE should be appropriate in light of the size and complexity of the institution’s operations. The recommendations should enable the institution to resolve current CMS deficiencies and regulatory violations and to minimize future violations by making improvement to its CMS. Ultimately, the board of directors and management of the institution are responsible for determining the actions they will take to address the examination findings. The EIC should consider identifying by name those individuals who commit to specific corrective actions, in order to assist in follow-up at future examinations.
Follow-up on Identified Violations
For 41 (80 percent) of the 51 ROEs in our sample, DSC did not follow up until the next examination, usually 2 or 3 years later, to determine whether the institution had corrected its significant violations. Of the remaining 10 ROEs, 5 ROEs resulted in informal supervisory action, such as bank board resolutions (BBR)[ 8 ] and memoranda of understanding (MOU)[ 9 ] requiring banks to provide DSC with memoranda or progress reports documenting corrective actions; 2 ROEs were visitations;[ 10 ] and 3 ROEs contained no significant violations.
As shown in Table 1 below, of the 431 significant violations we reviewed, 111 (26 percent) were TILA violations and 103 (24 percent) were RESPA violations. Both of these statutes are intended to provide consumers with certain rights dealing with credit and real estate transactions. TILA requires that institutions disclose their terms and costs to consumers who receive credit. The statute also gives consumers the right to rescind certain credit transactions that involve a lien on a consumer’s principal dwelling, regulates certain credit card practices, and provides a means for fair and timely resolution of credit billing disputes. RESPA requires that institutions provide consumers with pertinent and timely disclosures regarding real estate settlement costs. Further, RESPA is intended to protect consumers against certain abusive practices, such as kickbacks, and places limitations on the use of escrow accounts.
Table 1: Total Significant Violations for the Sampled Institutions
[Table body not recoverable from this copy. Columns: Consumer Protection Laws | Chicago Regional Office | Kansas City Regional Office | Boston Area Office (4 Institutions) | Total]
Source: OIG analysis of ROEs for the 14 sampled institutions.
Repeat, Significant Violations
Of the 14 institutions we selected for review, 11 (79 percent) had repeat, significant violations. Seven institutions violated the same consumer protection laws and regulations during three or more consecutive examination cycles. No informal actions were taken for 6 of the 11 institutions. The remaining five institutions were subject to informal supervisory actions. Further, three of the five institutions were again cited with repeat, significant violations when the informal actions were terminated by DSC management.[ 11 ] Consequently, the supervisory actions were not always effective in ensuring that these institutions were in compliance with consumer protection laws and regulations.
According to DSC, examiners consider the circumstances in determining whether a violation is a repeat violation and indicative of a weakness in procedures or a failure to take appropriate corrective action. Often, a violation code can be used in ROEs many times, but its use could be indicative of a number of distinct issues, problems, or causes. DSC violation codes were developed broadly, and DSC stated that a repeat violation at one examination can result from a different set of circumstances than had been in place at the prior examination. Repeat violations may also arise when regulatory requirements are changed or amended. For example, the bank may have corrected the previous issue, but a regulatory change could result in a new infraction of the same code.
However, the FDIC’s Compliance Examination Procedures specifically state that violations are significant if they had appeared in the Significant Violations section of the ROE for the previous examination and are repeated in exactly the same manner at the current examination. Isolated repeat violations are not categorized as significant in the examination reports. Further, for our analysis of the repeat, significant violations involving 11 institutions, we relied on the examiners’ description of the significant violations as “repeat violations” in the Significant Violations sections of the ROEs.
Supervisory actions taken by DSC did not always ensure that institutions had corrected repeat, significant violations. Of the 14 institutions we reviewed, 5 institutions were subject to informal supervisory actions once their rating had changed from a “2” to a “3.” Table 2 below provides a summary of the actions.
Table 2: Supervisory Actions Taken for Significant Violations
[Table body not recoverable from this copy. Columns: Institution | Type of Action | Year of Action | Follow-up Visitation by DSC | Year of Subsequent Examination | Repeat, Significant Violations Cited, and Action Terminated at Subsequent Examination]
a These supervisory actions were still in effect as of the date of our review.
b NA designates not applicable.
As shown in Table 2, repeat, significant violations still had not been corrected at three of the five institutions subject to informal supervisory actions when these actions were terminated. Further, DSC concluded that the institutions had adequately complied with the provisions of the actions, even though the examinations of the institutions continued to identify repeat violations. The section “Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions” below discusses, in detail, examples of the institutions in our sample that had been subject to informal supervisory actions and were cited with repeat violations at the subsequent examination when the actions were terminated.
DSC’s revised Formal and Informal Action Procedures (FIAP) Manual, dated December 9, 2005, states that the FDIC generally initiates formal or informal corrective action against institutions with a composite safety and soundness or compliance rating of “3,” “4,” or “5,” unless specific circumstances warrant otherwise. Informal action is generally appropriate for institutions that receive a composite rating of “3” for safety and soundness or compliance. This rating indicates that the institution has weaknesses that, if left uncorrected, could cause the institution’s condition to deteriorate. Formal action[ 12 ] is generally initiated against an institution with a composite rating of “4” or “5” for safety and soundness or compliance if there is evidence of unsafe or unsound practices and/or conditions or concerns over a high volume or severity of violations at the institution. In more serious situations, however, formal action could be considered even for institutions that receive composite ratings of “1” or “2” for safety and soundness or compliance examinations to address specific actions or inactions by the institution. The FIAP manual also states that informal actions are particularly appropriate when the FDIC has communicated with bank management regarding deficiencies and has determined that the institution’s managers and board of directors are committed to, and capable of, taking corrective action with some direction but without initiation of a formal corrective action. However, informal actions are voluntary and not legally enforceable. As shown in Table 2 above, imposing informal actions does not necessarily result in the correction of repeat, significant violations.
Compliance Management System
DSC did not adequately ensure that the financial institutions in our sample corrected compliance program deficiencies. All 14 institutions we reviewed had deficiencies and weaknesses noted in at least 1 ROE. In addition, as discussed in the next section of our report, DSC identified serious deficiencies and weaknesses in some of these financial institutions’ CMSs that remained uncorrected for extended periods.
To determine whether an institution has an effective CMS, DSC evaluates three interdependent elements: (1) board and management oversight; (2) the institution’s compliance program, including training and monitoring; and (3) a compliance audit.[ 13 ] According to the Compliance Examination Procedures, when all elements are strong and working together, an institution will be successful at managing its compliance responsibilities and risks now and in the future. Noncompliance with consumer protection laws and regulations can result in monetary penalties, litigation, and formal enforcement actions. The responsibility for ensuring that an institution is in compliance appropriately rests with the institution’s board of directors and management.
Although the Compliance Examination Procedures do not cite a regulation requiring FDIC-supervised institutions to have a CMS, the FDIC expects every FDIC-supervised institution to have an effective CMS adapted to its unique business strategy. In June 2003, the FDIC issued guidance related to the Compliance Examination Procedures, informing institutions that the Corporation had revised its approach to examining institutions for compliance with consumer protection laws and regulations.[ 14 ] The new approach combined a risk-based examination process with an in-depth evaluation of an institution’s CMS.
Examples of Repeat, Significant Violations; CMS Deficiencies; and Supervisory Actions
The following examples illustrate repeat, significant compliance violations; CMS program deficiencies; and cases in which DSC supervisory actions were not always effective in ensuring that institutions took timely and complete corrective action.
- From 1997 to 2005, DSC cited 47 significant violations for Institution A, in our sample, that included 13 (28 percent) repeat violations. During examinations conducted in 1998, 2001, and 2003, Institution A was repeatedly cited for RESPA, TILA, HMDA, and TISA violations. As a result, DSC downgraded the institution’s compliance rating from a “2” to a “3,” and imposed an MOU in 2003, about 5 years after the initial citations. During the subsequent 2005 examination, the institution was cited for the fourth consecutive time for the same RESPA violation that had been cited in the 1998, 2001, and 2003 examinations and was cited for the third consecutive time for the same TILA and HMDA violations that had been identified in the 2001 and 2003 examinations. However, DSC concluded in its 2005 ROE that the MOU had proven to be an effective tool for correcting the deficiencies identified at previous examinations. As a result of the improvements, DSC recommended that the MOU be terminated. In addition, DSC reported continued program deficiencies, which included training, during two consecutive examinations.
- From 1997 to 2005, DSC cited 77 significant violations for Institution B, in our sample, that included 17 (22 percent) repeat violations. During examinations conducted in 1999, 2001, and 2003, Institution B was repeatedly cited for flood insurance, RESPA and HMDA violations.[ 15 ] As a result of the 2003 examination, DSC downgraded the bank’s compliance rating from a “2” to a “3.” The bank adopted a BBR in 2004, about 5 years after the initial citations, requiring that bank management correct all violations listed in the compliance report and initiate appropriate procedures to prevent their recurrence. In its March 2005 ROE, DSC states that Institution B had adequately addressed the requirements of the BBR, even though DSC cited the bank for the fourth consecutive time for the same HMDA violation that had been cited in the 1999, 2001, and 2003 examinations. Further, DSC reported program deficiencies in five consecutive examinations, citing weaknesses in the CMS program that included a lack of comprehensive review procedures, training, and the bank’s audit function.
- From 1997 to 2005, DSC cited 44 significant violations for Institution F, in our sample, that included 5 (11 percent) repeat violations. During examinations conducted in 1998, 2000, and 2003, Institution F was repeatedly cited for RESPA violations. In the 1998 examination, when the initial citation was made, the bank promised future compliance. However, the same violation was cited at the subsequent 2000 examination and again in the 2003 ROE. During the 2005 examination, Institution F was also cited for repeat TISA and ECOA significant violations. Program deficiencies were also noted during two consecutive examinations. DSC recommended that the institution adopt a written CMS program and internal review procedures to prevent the recurrence of the violations.
- From 1997 to 2005, DSC cited 44 significant violations for Institution C, in our sample, that included 7 (16 percent) repeat violations. During examinations conducted in 1997, 2003,[ 16 ] and 2005, Institution C was repeatedly cited for TILA violations. In the 1997 ROE, when the initial citation was made, bank personnel promised future compliance. However, the same violation was subsequently cited for the third time in the 2005 ROE when DSC downgraded the bank’s compliance rating from a “2” to a “3” and the bank adopted a BBR. In addition, DSC described the institution’s CMS as lacking a compliance program and internal monitoring procedures and having inadequate training and review procedures identified by three consecutive examinations.
- From 1997 to 2005, DSC cited 58 significant violations for Institution D, in our sample, that included 6 (10 percent) repeat violations. During examinations conducted in 1997, 1999, and 2002, Institution D was repeatedly cited for RESPA and other significant violations. The total number of significant violations more than doubled between the 1999 and 2002 examinations and was categorized by DSC as “more serious.” As a result, DSC downgraded the compliance rating for Institution D from a “2” in 1999 to a “3” in 2002. The 2002 ROE stated that the prior ROE had informed the bank’s board and management that the number of violations had doubled and repeat violations had occurred because the written compliance policy had not been implemented and effective program tools such as monitoring, audit, and training had not been established or implemented. An MOU was imposed on the institution in 2003, and DSC conducted a visitation during 2004 to assess the bank’s compliance with the MOU. In response, the bank corrected a majority of the violations cited during the 2002 examination, but some violations had not been corrected. For example, during the 2005 examination, the institution was cited for the third consecutive time for the same flood insurance violation that had been cited in the 1999 and 2002 examinations.
The FDIC’s Deputy to the Chairman and Chief Operating Officer has said publicly that the FDIC’s supervision and enforcement of consumer laws and regulations are part of ensuring public confidence in the banking system. Without effective enforcement, consumers and businesses may not obtain the benefits and protection afforded them by such laws and regulations. Consumer protection laws are intended to deter financial institutions from committing such acts as:
- discrimination based on race, color, religion, national origin, sex, marital status, and age in any aspect of a credit transaction, including residential real-estate-related transactions, such as making loans to buy, build, repair, or improve a dwelling;
- failure to provide borrowers with pertinent and timely disclosures regarding the nature and costs of the real estate settlement process; and
- inaccurate and unfair credit billing, credit card, and leasing transactions.
In addition, violations of consumer laws and regulations can give rise to civil liability for damages and, in TILA cases, administrative adjustments for understated finance charges or annual percentage rates.
We recommend that the Director, DSC, strengthen guidance related to the monitoring and follow-up processes for compliance violations by revising:
- The Compliance Examination Procedures to require follow-up between examinations on repeat, significant compliance violations and program deficiencies.
- The FIAP manual to require consideration of supervisory actions when any institution’s corrective action on repeat, significant violations is not timely or when repeat, significant violations are a recurring examination finding.
DSC’s 2005 Performance Goals
DSC does not have a performance goal[ 17 ] associated with the supervision of institutions rated “1,” “2,” and “3” that are cited with repeat, significant compliance violations. Instead, one of DSC’s 2005 annual performance goals was to take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer protection and fair lending laws. However, of the 837 institutions with repeat significant violations in 2005, 708 (85 percent) institutions were rated “1” and “2” and 126 (15 percent) institutions were rated “3.” Only three institutions were rated “4,” and none were rated “5.”
Examiners are instructed to document, for each violation and CMS program deficiency, corrective actions taken by management during the examination and commitments for future corrective action. DSC does not require a response from bank management on corrective actions unless the institution is rated a “3,” “4,” or “5.” According to DSC, a “1” or “2” rating indicates that the institution has a CMS that is sufficient for correcting violations and deficiencies in the normal course of business. However, examinations of institutions rated “1” or “2” are identifying numerous instances of repeat, significant violations. As a result, the FDIC’s performance goals did not address the majority of repeat, significant violations.
We recommend that the Director, DSC, revise:
- DSC’s performance goals to focus more broadly on institutions with repeat, significant violations.
Ratings Consideration of Institution Compliance Training
As summarized in Appendix II of this report, each financial institution is assigned a consumer compliance rating predicated upon an evaluation of the nature and extent of its present compliance with consumer protection and civil rights statutes and regulations and the adequacy of its operating systems designed to ensure compliance on a continuing basis.
The FDIC’s compliance ratings standards specifically state, “An institution that is assigned a rating of ‘2’ is in generally strong compliance. Management is capable of administering an effective compliance program. Compliance training is satisfactory, and there is no evidence of practices resulting in repeat violations.”
While we are not questioning the assigned rating or the relative weighting given to the training component of the compliance program, we are nonetheless concerned about the apparent inconsistency between the ROEs and the ratings’ definitions. Specifically, we observed that the narratives for 29 (81 percent) of the 36 ROEs for institutions in our sample assigned a “2” rating appeared inconsistent with the definition of a “2” rating. All 29 of the ROEs identified the lack of training as the cause of, or a contributing factor to, the significant violations identified in the ROEs. However, compliance ratings standards state that training has to be satisfactory for a “2” rating. In addition, 11 of the 14 institutions in our sample that were rated a “2” had repeat, significant violations as identified by DSC. The examples below illustrate that the narratives in these 29 ROEs were not consistent with the definition of a “2” rating.
- Institution G’s 2005 ROE summary states, “The bank’s training program is generally adequate; however, several of the violations noted in this report are attributed to a lack of training. The lack of appropriate monitoring procedures and training has resulted in 15 violations including reimbursable violations of [TILA], repeat violations of Equal Credit Opportunity and Consumer Protection in the Sales of Insurance, and violations of Home Mortgage Disclosure and Flood Insurance, among others.”
- Institution H’s 1998 ROE summary states, “The compliance program deficiencies include weak monitoring, poor audit coverage and response time, as well as inefficient training.” DSC cited seven significant violations, including RESPA, Flood Insurance, EFTA, and HMDA violations.
- During its 1997 examination, Institution D was cited for 18 significant violations that were attributed to management oversight and being unaware or misunderstanding the specific compliance requirements. In 1999, DSC cited Institution D for 19 violations, including a repeat RESPA violation. DSC reported that “The bank has a written, Board-approved compliance policy that calls for the development of compliance procedures, staff training, and periodic testing. However, the policy has not been implemented to any significant degree.” DSC further reported that “bank management should take immediate steps to reinforce the bank’s compliance efforts through some form of systematic training and the establishment of internal monitoring procedures.” In 2003, over 3 years later, DSC imposed an MOU on the bank, recommending that training be improved. DSC conducted a visitation in 2004 and reported that the institution had made good progress in improving its training system. The institution’s rating was upgraded to satisfactory in 2005, even though four significant violations were cited, and one was a repeat violation cited in the previous two examinations.
We are not making any recommendations on this observation. DSC officials told us that an FFIEC task force is reviewing the definitions of the compliance ratings for institutions. We encourage DSC to share our observation with the task force for its consideration when revising the compliance rating definitions.
CORPORATION COMMENTS AND OIG EVALUATION
On September 29, 2006, the Acting Director, DSC, provided a written response to a draft of this report. The DSC response is presented in its entirety in Appendix V. Overall, DSC agreed to take corrective actions that are responsive to the recommendations. Appendix VI contains a summary of management’s response to the recommendations. The recommendations are resolved but will remain open until we have determined that the agreed-to actions have been completed and are effective.
In response to recommendations 1 and 3, DSC stated that it intends to analyze the prevalence and scope of repeatedly cited, significant violations to determine whether any changes in DSC policies and/or performance goals are necessary. DSC will complete this analysis and implement appropriate actions by September 30, 2007.
In response to recommendation 2, DSC stated that current FDIC guidance already permits DSC to consider taking supervisory action against highly rated banks. Further, DSC stated that the FIAP manual presents a clear statement of DSC policy as follows:
In more serious situations, however, formal action could be considered even for institutions that receive composite ratings of “1” or “2” for safety and soundness or compliance examinations to address specific actions or inactions by the institution.
Nonetheless, DSC agreed to reevaluate current FDIC and FFIEC guidance to determine whether enhancements or clarifications are needed. DSC will complete this process by September 30, 2007. With regard to this recommendation, we encourage the FDIC to consider the full range of supervisory actions available to address repeat, significant compliance violations, not just formal actions as addressed in the FIAP manual.
In addition to specifically addressing the recommendations in our report, DSC’s response included general comments regarding our findings. The response also discussed DSC’s commitment to consumer protection and its response to significant violations discovered during compliance examinations.
In discussing its commitment to consumer protection, DSC stated that, during the 8-year period covered by our audit, DSC issued 1,075 formal and informal enforcement actions to ensure that institutions under FDIC supervision complied with consumer protection laws and regulations. DSC also stated that, over the same period, it required banks to refund over $10 million to 220,567 consumers as a result of TILA violations and to make over $5 million in reimbursement to consumers harmed by unfair and deceptive practices prohibited by the Federal Trade Commission Act.
With respect to violations discovered during compliance examinations, DSC pointed out that, although our report focused on repeat, significant violations cited in examination reports, all but five of these reports assigned either a “1” or a “2” compliance rating to the banks involved. DSC further stated that it believes that institutions with a “1” or “2” compliance rating have “strong” or “generally strong” compliance programs and are capable of addressing problems. At the next examination, consistent with FDIC examination procedures, DSC follows up on institution efforts to correct violations. In addition, DSC believes that some violations represent less risk to consumers, which DSC takes into consideration as part of the evaluation process to determine the need for follow up.
While we take no exception to these comments, our view is that repeat, significant violations should be considered more serious for purposes of supervisory action and follow-up on corrective action by institutions. As noted in our report, our review of the 14 institutions in our sample found that 11 (79 percent) institutions had repeat, significant violations. As shown in our examples, the institutions repeatedly violated the same laws and regulations for several years before DSC took any supervisory action.
With respect to our report’s observation on ratings, DSC stated that the FDIC strives diligently to present examination findings in a consistent manner and validates the processes by secondary review and a strong internal control program. DSC also stated that each rating is based on a qualitative analysis of the factors comprising that rating, with some factors given more weight than others, depending on the situation. Finally, DSC’s response states that our report characterizes the ratings observation as outside the scope of our audit. In our report, we did not question the assigned rating, the relative weighting given to the training or other components of the compliance program, or the process that resulted in those ratings. While these matters are within the scope of the audit, our intent was only to express concern about the possible inconsistency between the assigned ratings and the ratings’ definitions. We acknowledge that the FFIEC has a task force reviewing the ratings definitions and hope that this information is useful in that regard.
OBJECTIVE, SCOPE, AND METHODOLOGY
The objective of this audit was to determine whether DSC adequately addresses the violations and program deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions take appropriate corrective action. For purposes of this audit, we made a distinction between corrective actions taken by bank management to address compliance violations and actions taken by the FDIC to ensure compliance. The FDIC’s actions include efforts to follow up with bank management after examinations, including correspondence, follow-up visitations or examinations, and the use of supervisory action. Supervisory action includes informal supervisory actions (such as BBRs or MOUs) and formal enforcement actions (such as cease and desist orders) to prompt management action. We performed our audit from January 2006 through July 2006 in accordance with generally accepted government auditing standards.
Scope and Methodology
We judgmentally selected for review 14 institutions with significant compliance violations in 2004 or 2005 from 3 DSC regions. The 14 institutions had a total of 431 significant violations for the period January 1, 1997 to December 31, 2005, and ranged in asset size from $34 million to $6.5 billion. We have provided the names of the referenced institutions to DSC under separate cover. We analyzed DSC’s process for identifying, reporting, and referring compliance violations and program deficiencies for appropriate corrective actions, and we assessed the adequacy of DSC actions to follow up and evaluate corrective actions promised and/or taken by bank management.
To achieve the audit objective, we interviewed FDIC officials in:
- DSC’s headquarters in Washington, D.C., and the Kansas City and Chicago Regional Offices responsible for conducting supervisory compliance examinations.
In addition, we did the following:
- Reviewed a prior OIG audit report, which is summarized in the Prior Coverage section of this appendix.
- Reviewed applicable FDIC rules and regulations, FDIC procedure manuals, DSC Regional Directors Memoranda, FILs, and DSC Internal Review Reports related to compliance examinations.
- Reviewed other government agency Web sites for information on laws and regulations pertaining to consumer rights and compliance violations.
- Verified with DSC our selection of the following categories of consumer protection laws and regulations (the eight statutes reviewed, as listed in the Compliance With Laws and Regulations section of this appendix):
  - EFTA
  - ECOA/FHA
  - Flood Insurance
  - HMDA
  - Privacy
  - RESPA
  - TILA
  - TISA
- Reviewed the FDIC Strategic Plan for 2005-2010 for performance measures related to consumer protection.
- Consulted the Counsel to the Inspector General to assist in verifying applicable criteria and researching potential legal issues.
We identified DSC’s internal controls related to the risk-focused examination process for compliance examinations, including the identification of and follow-up on significant compliance violations and program deficiencies. We reviewed and assessed controls related to DSC follow-up on significant compliance violations and program deficiencies. Our review identified weaknesses in these areas as described in the findings section of our report. We did not assess the adequacy of controls over DSC’s examination process or the compliance ratings assigned during the examination. We also did not determine whether DSC should have taken more stringent enforcement actions (i.e., formal actions) with respect to significant repeat consumer violations.
Reliance on Computer-based Data
We determined through interviews and information available on the DSC Web site that the DSC SOURCE system is the primary tool DSC uses to track and document compliance examinations of FDIC-supervised institutions. During the audit, we conducted limited testing of SOURCE data to determine its accuracy as it related to tracking significant compliance violations identified in ROEs. Of the 431 violations reviewed in our sample, we identified 1 significant compliance violation that was reported during an examination but was not included in SOURCE. We brought this item to DSC’s attention. For the purposes of the audit, we did not rely on SOURCE system data. Our assessment centered on reviews of hardcopy ROEs, examination workpapers, and other documents such as progress reports and correspondence files. We also determined that DSC performs internal reviews to ensure that SOURCE data are accurate.
Compliance With Laws and Regulations
We reviewed DSC’s revised Compliance Examination Procedures (Transmittal No. 2005-035, dated August 18, 2005) to identify guidance for examiners to use when assessing an institution’s CMS, which must adequately address (through oversight, policies and procedures, training, monitoring, complaint process, and audit) all areas related to compliance rules and regulations. For purposes of this audit, we reviewed eight statutes: EFTA, ECOA/FHA, Flood Insurance, HMDA, Privacy, RESPA, TILA, and TISA. We did not identify any instances of FDIC noncompliance with these laws and regulations although our audit identified areas for strengthening DSC’s supervisory efforts for implementing and enforcing institution compliance with these laws.
The Government Performance and Results Act of 1993 directs Executive Branch agencies to develop a strategic plan, align agency programs and activities with concrete missions and goals, manage and measure results to justify appropriations and authorizations, and design budgets that reflect strategic missions. In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals:
- FDIC-supervised institutions are safe and sound, and
- consumers’ rights are protected, and FDIC-supervised institutions invest in their communities.
The FDIC’s strategic goals are implemented through the Corporation’s Annual Performance Plan. The annual plan identifies performance goals, indicators, and targets for each strategic objective. DSC’s 2005 Annual Performance Plan contained one goal related to the scope of our audit — to take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a “4” or “5” rating for compliance with consumer protection and fair lending laws. The Other Matters section of our report discusses our review of this area.
Fraud and Illegal Acts
The objective of this audit did not lend itself to testing for fraud and illegal acts. Accordingly, the survey and audit programs did not include specific audit steps to test for fraud and illegal acts. However, we were alert to situations or transactions that could have been indicative of fraud or illegal acts, and no such acts came to our attention.
Prior Coverage
In September 2005, the OIG issued Audit Report No. 05-038, Division of Supervision and Consumer Protection’s Risk-focused Compliance Examination Process. The overall objective was to determine whether DSC’s risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. We found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure reliability of the institutions’ compliance review functions. Also, examiners did not always document whether the examination reviewed all the compliance areas in the planned scope of review.
CONSUMER COMPLIANCE RATING SYSTEM
By order of the Federal Financial Institutions Examination Council (FFIEC) in November 1980, each financial institution is assigned a consumer compliance rating predicated upon an evaluation of the nature and extent of its present compliance with consumer protection and civil rights statutes and regulations and the adequacy of its operating systems designed to ensure compliance on a continuing basis. The rating system is based on a scale of “1” through “5.” An institution rated a “1” represents the highest rating and has the lowest level of supervisory concern, while a “5” rating represents the lowest, most critically deficient level of performance and, therefore, the highest degree of supervisory concern. Consumer Compliance Ratings are defined and distinguished as follows.
A “1” Rating
An institution in this category is in a strong compliance position. Management is capable of, and staff is sufficient for, effectuating compliance. An effective compliance program, including an efficient system of internal procedures and controls, has been established. Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training. The institution provides adequate training for its employees. If any violations are noted, they relate to relatively minor deficiencies in forms or practices that are easily corrected. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.
A “2” Rating
An institution in this category is in a generally strong compliance position. Management is capable of administering an effective compliance program. Although a system of internal operating procedures and controls has been established to ensure compliance, violations have nonetheless occurred. These violations, however, involve technical aspects of the law or result from oversight on the part of operating personnel. Modification in the bank’s compliance program and/or the establishment of additional review/audit procedures may eliminate many of the violations. Compliance training is satisfactory. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
A “3” Rating
Generally, an institution in this category is in a less than satisfactory compliance position. A “3” rating is a cause for supervisory concern and requires more than normal supervision to remedy deficiencies. Violations may be numerous. In addition, previously identified practices resulting in violations may remain uncorrected. Overcharges, if present, involve a few consumers and are minimal in amount. There is no evidence of discriminatory acts or practices. Although management may have the ability to effectuate compliance, increased efforts are necessary. The numerous violations discovered are an indication that management has not devoted sufficient time and attention to consumer compliance. Operating procedures and controls have not proven effective and require strengthening. This may be accomplished by, among other things, designating a compliance officer and developing and implementing a comprehensive and effective compliance program. By identifying an institution with marginal compliance early, additional supervisory measures may be employed to eliminate violations and prevent further deterioration in the institution’s less-than-satisfactory compliance position.
A “4” Rating
An institution in this category requires close supervisory attention and monitoring to promptly correct the serious compliance problems disclosed. Numerous violations are present. Overcharges, if any, affect a significant number of consumers and involve a substantial amount of money. Often, practices resulting in violations and cited at previous examinations remain uncorrected. Discriminatory acts or practices may be in evidence. Clearly, management has not exerted sufficient effort to ensure compliance. Management’s attitude may indicate a lack of interest in administering an effective compliance program which may have contributed to the seriousness of the institution’s compliance problems. Internal procedures and controls have not proven effective and are seriously deficient. Prompt action on the part of the supervisory agency may enable the institution to correct its deficiencies and improve its compliance position.
A “5” Rating
An institution in this category is in need of the strongest supervisory attention and monitoring. It is substantially in noncompliance with the consumer statutes and regulations. Management has demonstrated its unwillingness or inability to operate within the scope of consumer statutes and regulations. Previous efforts on the part of the regulatory authority to obtain voluntary compliance have been unproductive. Discrimination, substantial overcharges, or practices resulting in serious repeat violations are present.
SIGNIFICANT AND CONSECUTIVE SIGNIFICANT VIOLATIONS CITED FROM JANUARY 1, 2005 TO DECEMBER 31, 2005
| Region | Number of FDIC-Supervised Institutions [a] | Number of Institutions Examined [b] | Number of Institutions Examined with Significant Violations | Percentage of Institutions Examined with Significant Violations | Number of Institutions with Consecutive Significant Violations | Percentage of Institutions with Consecutive Significant Violations |
|---|---|---|---|---|---|---|
Source: OIG analysis and DSC’s tracking system, SOURCE.
[a] As of July 26, 2006.
[b] Represents examination period January 1, 2005 through December 31, 2005.
CONSUMER PROTECTION LAWS
The primary consumer-protection statutes and associated regulations discussed in this report are summarized below. There are other consumer-protection laws and regulations, but based on input from DSC, we limited our work to the following:
Electronic Fund Transfer Act (EFTA) – This Act establishes the basic rights, liabilities, and responsibilities of consumers who use electronic fund transfer services and of financial institutions that offer these services. The primary objective of the Act is the protection of individual consumers engaging in electronic fund transfers. The FRB’s Regulation E implements this statute.
Equal Credit Opportunity Act (ECOA) – ECOA prohibits creditor practices that discriminate based on race, color, religion, national origin, sex, marital status, or age. The Federal Reserve Board (FRB) issued Regulation B, which describes lending acts and practices that are specifically prohibited, permitted, or required under ECOA.
Fair Housing Act (FHA) – The FHA prohibits discrimination based on race, color, religion, national origin, sex, familial status, and handicap in residential real-estate-related transactions, including making loans to buy, build, repair, or improve a dwelling. Lenders may not discriminate in mortgage lending based on any of the prohibited factors. The U.S. Department of Housing and Urban Development (HUD) has issued regulations to implement the FHA; the FDIC has issued regulations at Part 338 of its Rules and Regulations (12 Code of Federal Regulations (C.F.R.) Part 338) regarding advertising and recordkeeping.
National Flood Insurance Act of 1968, National Flood – This Act established a nationwide flood insurance program and requires the identification of flood-prone areas and communication of such information. The bank regulators are to require lenders to notify borrowers of special flood hazards. The financial regulators have issued regulations that prohibit banks from providing or extending loans where the property securing the loan is in an area with special flood hazards, unless flood insurance has been obtained. The FDIC’s regulations are at 12 C.F.R. Part 339.
Home Mortgage Disclosure Act (HMDA) – HMDA was enacted to provide information to the public and federal regulators regarding how depository institutions are fulfilling their obligations towards community housing needs. FRB Regulation C requires depository and certain for-profit, non-depository institutions (such as mortgage companies and other lenders) to collect, report, and disclose data about originations and purchases of home mortgage, home equity, and home improvement loans. Institutions must also report data about applications that do not result in loan originations.
Gramm-Leach-Bliley Act of 1999 (Privacy) – According to title V, Privacy, of this Act, financial institutions are required to: ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to any consumer. This Act provides the “privacy” protections covered in our report. The financial regulators have issued implementing regulations. The FDIC’s regulations are located principally at 12 C.F.R. Part 332.
Real Estate Settlement Procedures Act (RESPA) – RESPA requires lenders, mortgage brokers, or servicers of home loans to provide borrowers with pertinent and timely disclosures regarding the nature and costs of the real estate settlement process. The Act also protects borrowers against certain abusive practices, such as kickbacks, and places limitations upon the use of escrow accounts. HUD promulgated Regulation X, which implements RESPA. Also, the FRB’s Regulation Z addresses certain residential mortgage and variable-rate transactions that are subject to RESPA.
Truth in Lending Act (TILA) – TILA requires meaningful disclosure of credit and leasing terms so that consumers will be able to more readily compare terms in different credit and lease transactions. TILA also protects the consumer against inaccurate and unfair credit billing, credit card, and leasing transactions. FRB issued Regulation Z, which implements TILA. The regulation requires accurate disclosure of true cost and terms of credit. The regulation also regulates certain credit card practices, provides for fair and timely resolution of credit billing disputes, and requires that a maximum interest rate be stated in variable rate contracts secured by the consumer’s dwelling.
Truth in Savings Act (TISA) – The TISA requires the clear and uniform disclosure of the rates of interest that are payable on deposit accounts by depository institutions and the fees that are assessable against deposit accounts, so that consumers can make a meaningful comparison between the competing claims of depository institutions with regard to deposit accounts. FRB’s Regulation DD implements this statute.
MANAGEMENT RESPONSE TO RECOMMENDATIONS
This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.
| Corrective Action: Taken or Planned/Status | Expected Completion Date | Monetary Benefits | Resolved: [a] Yes or No | Open or Closed [b] |
|---|---|---|---|---|
| DSC intends to analyze the prevalence and scope of repeatedly cited, significant violations over the next year. The substance and level of risk to consumers related to these violations will be used to evaluate whether any changes in DSC policies are necessary. | September 30, 2007 | $0 | Yes | Open |
| DSC will review existing guidance related to identifying and documenting third-party residential mortgage lending relationships and, where necessary, issue revised guidance. | September 30, 2007 | $0 | Yes | Open |
| DSC will remind examiners to use the checklist for HMDA data reviews within the framework of the FDIC’s refocused compliance examination procedures. | September 30, 2007 | $0 | Yes | Open |
[a] Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
[b] Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.